Naw, I didn't miss that part, I just don't think it makes an argument for this being a failure of Amazon security policy. Given that you need to know someone's account email address (how hard is it to do foo+amazon@dingleberry.com, or some other not-easily-guessed email address?), billing address, etc, to even get an Amazon rep to talk to you, the protections on that front seem sufficient (maybe not best, but sufficient) to me. Running an auth/void doesn't really work either. Sure, Amazon has their own payment gateway, but that doesn't make it free, it just makes it cheaper for them. Given the volume of cards that they accept into their system every day, running two transactions on each would pretty quickly jack up costs considerably. For subscription services like Norton, that might make sense, because the overall transaction volume is fairly low, but for Amazon, that bill would get pretty big.
Now, compare Amazon's relatively reasonable, if not super awesome, procedures to Apple's, where all you need is the last four in order to get access to all data and devices, and tell me this is still an Amazon problem.